Microsoft has confirmed that a known nation-state threat actor tracked as Storm-0062 has been actively exploiting a critical zero-day vulnerability in Atlassian Confluence Data Center and Server products since mid-September 2023. The disclosure, made on October 10, reveals a sustained cyberespionage campaign that operated for nearly three weeks before Atlassian issued its public advisory and emergency patches on October 4.
The Threat Landscape
The vulnerability, designated CVE-2023-22515, is a remotely exploitable privilege escalation flaw affecting on-premises instances of Confluence Server and Confluence Data Center. Microsoft attributed the exploitation to Storm-0062, an advanced persistent threat group also tracked as DarkShadow or Oro0lxy, which multiple sources link to China’s Ministry of State Security. The group has been observed conducting cyberespionage operations targeting government agencies, technology companies, and critical infrastructure providers.
What makes this campaign particularly concerning is the timeline. Storm-0062 began exploiting the vulnerability on September 14, a full three weeks before Atlassian’s public disclosure. During this window, the threat actor was able to exploit vulnerable Confluence instances across the internet unopposed, creating unauthorized administrator accounts to establish persistent access to compromised environments.
Core Principles
The attack leverages a privilege escalation mechanism that allows any device with network connectivity to a vulnerable Confluence application to create a new Confluence administrator account. This means the attacker gains full administrative control over the collaboration platform — including access to all spaces, pages, attachments, and user data stored within the instance. Atlassian warned that instances on the public internet are particularly at risk, as the vulnerability can be exploited anonymously.
Organizations must understand a critical caveat: if a Confluence instance has already been compromised, simply applying the patch will not remove the attacker’s access. Threat actors routinely establish multiple persistence mechanisms — including backdoor accounts, scheduled tasks, and modified configuration files — that survive the upgrade process. A thorough forensic review is essential before considering a patched system clean.
Tooling and Setup
Atlassian has released patched versions 8.3.3, 8.4.3, and 8.5.2 to address CVE-2023-22515. Organizations should immediately upgrade all Confluence Data Center and Server instances to one of these fixed versions or later. Microsoft shared four IP addresses associated with the exploit traffic, which security teams can use to query their firewall and proxy logs for historical indicators of compromise.
For organizations unable to patch immediately, isolating vulnerable Confluence applications from the public internet provides critical interim protection. Network-level controls — including VPN-only access, IP allowlisting, and web application firewall rules — can reduce the attack surface while patches are tested and deployed. Security teams should also audit all administrator accounts on Confluence instances for any unauthorized or suspicious entries.
Ongoing Vigilance
The Confluence zero-day campaign highlights the growing sophistication of nation-state threat actors in identifying and weaponizing vulnerabilities in widely deployed enterprise collaboration tools. Platforms like Confluence are high-value targets because they serve as central repositories for organizational knowledge — containing strategic plans, technical documentation, personnel records, and proprietary information.
Security teams should implement continuous monitoring for anomalous administrative activity on all collaboration platforms, including unexpected account creation, unusual login locations, and bulk data exports. Regular vulnerability scanning and rapid patch management cycles remain the most effective defense against zero-day campaigns, particularly for internet-facing applications that process sensitive information.
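The administrator-account audit recommended under Tooling and Setup and the monitoring described above can be combined into one triage pass over audit-log records. The script below is an added example, not Atlassian or Microsoft tooling; the record layout, the baseline admin list, the internal network ranges and the indicator IP are all constructed placeholders (Microsoft's actual IP indicators are not reproduced here).

```python
"""Triage Confluence-style audit records for the checks the article lists:
admin accounts outside a known-good baseline, activity from shared indicator
IPs, and admin logins from outside expected networks. Added example; the
field names, ranges and IPs below are assumed/constructed, not real IoCs."""
from datetime import datetime, timezone
import ipaddress

EXPLOIT_WINDOW_START = datetime(2023, 9, 14, tzinfo=timezone.utc)  # date from the article
BASELINE_ADMINS = {"admin", "confluence-svc"}       # assumed known-good admin accounts
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges
IOC_IPS = {"192.0.2.10"}                            # placeholder (TEST-NET), not a real IoC

# Constructed sample records in an assumed audit-log shape
SAMPLE_EVENTS = [
    {"ts": "2023-09-10T08:00:00Z", "action": "admin_login", "actor": "admin",
     "ip": "10.1.2.3", "target": "admin"},
    {"ts": "2023-09-15T02:13:44Z", "action": "admin_account_created", "actor": "anonymous",
     "ip": "192.0.2.10", "target": "sysadm1n"},
    {"ts": "2023-09-16T02:20:01Z", "action": "admin_login", "actor": "sysadm1n",
     "ip": "198.51.100.7", "target": "sysadm1n"},
    {"ts": "2023-10-05T09:00:00Z", "action": "admin_login", "actor": "confluence-svc",
     "ip": "10.5.5.5", "target": "confluence-svc"},
]

def _in_corp(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)

def triage(events, baseline_admins=BASELINE_ADMINS, ioc_ips=IOC_IPS):
    """Return (severity, reason, event) findings; one event may yield several."""
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ev["action"] == "admin_account_created" and ev["target"] not in baseline_admins:
            # Creation inside the known exploitation window is the strongest signal
            sev = "high" if ts >= EXPLOIT_WINDOW_START else "medium"
            findings.append((sev, "admin account outside baseline", ev))
        if ev["ip"] in ioc_ips:
            findings.append(("high", "source IP matches shared indicator", ev))
        if ev["action"] == "admin_login" and not _in_corp(ev["ip"]):
            findings.append(("medium", "admin login from outside expected ranges", ev))
        if ev["action"] == "admin_login" and ev["actor"] not in baseline_admins:
            findings.append(("high", "login by admin not in baseline", ev))
    return findings

if __name__ == "__main__":
    for sev, reason, ev in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {reason}: {ev['ts']} {ev['actor']} from {ev['ip']}")
```

Any finding predating the patch date is a signal to treat the host as compromised rather than merely unpatched, per the caveat under Core Principles.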
Final Takeaway
The Storm-0062 campaign against Confluence demonstrates that the window between vulnerability discovery and exploitation continues to narrow. Organizations must treat collaboration platforms as critical infrastructure requiring the same security rigor applied to financial systems and authentication services. With the threat landscape evolving rapidly and Bitcoin trading at roughly $27,391, maintaining robust cybersecurity fundamentals is non-negotiable for organizations operating in the digital economy.
China using a wiki collaboration tool as an espionage vector is both terrifying and deeply creative. every confluence instance is basically a treasure trove of internal docs
storm-0062 had three weeks of unimpeded access before atlassian said anything. three weeks in your confluence instance is basically game over
three weeks of unimpeded access and most orgs don't even rotate credentials after patching. the initial access is what matters, persistence is assumed at that point
opsec_crane_, you are spot on. our IR team treated the patch as the finish line and found webshells planted 12 days earlier that nobody noticed
persistence is assumed. most IR teams treat patching as the finish line when it's really just the starting line
we patched within 48 hours of the advisory but the scan showed indicators of compromise going back weeks. scary stuff
Tomasz N., same experience here. our confluence had indicators for 19 days before we even knew to look. MSS-backed ops don't leave obvious traces
three weeks of access to internal wikis, roadmaps, credentials, meeting notes. the intel value alone is worth more than any single data breach
three weeks of access to internal wikis and roadmaps. the competitive intel value alone is worth more than any ransomware payout
19 days of unrestricted access to every confluence page, jira ticket and internal doc. most companies still don't know how to even detect this kind of persistence
MSS using a wiki tool for state espionage is peak 2023 energy. the vulnerability was open for 3 weeks and nobody at atlassian thought to check if it was already being exploited
China’s MSS running cyberespionage through collaboration software. 2023 really was the year of everything everywhere all at once